diff --git a/server/app/helpers/models.py b/server/app/helpers/models.py
index b44f0af..5f2ab40 100644
--- a/server/app/helpers/models.py
+++ b/server/app/helpers/models.py
@@ -10,7 +10,10 @@ class User(BaseModel):
     id: Optional[PyObjectId] = Field(alias="_id", default=None)
     full_name: str
     email: str
-    password: str = Field(default=None, exclude=True)
     is_admin: bool = Field(default=False)
     created_at: datetime = Field(default_factory=lambda: datetime.now(timezone.utc))
     updated_at: datetime = Field(default_factory=lambda: datetime.now(timezone.utc))
+
+
+class UserInDB(User):
+    password: str
diff --git a/server/app/routes/auth.py b/server/app/routes/auth.py
index a6305a9..bcd6ed4 100644
--- a/server/app/routes/auth.py
+++ b/server/app/routes/auth.py
@@ -5,7 +5,7 @@
     InvalidEmailException,
 )
 from app.helpers.auth import compare_passwords, hash_password
-from app.helpers.models import User
+from app.helpers.models import User, UserInDB
 from app.helpers.session import Session, SessionManager
 from app.helpers.validators import is_valid_email, is_valid_password
 from app.services.db import db
@@ -43,7 +43,7 @@ async def signup(body: SignupBody):
     exists = bool(existing_user)
     if exists:
         raise HTTPException(status_code=409, detail="User already exists")
-    user_body = User(
+    user_body = UserInDB(
         full_name=body.full_name,
         email=body.email,
         password=hash_password(body.password),
@@ -51,7 +51,6 @@ async def signup(body: SignupBody):
     res = db.users.insert_one(user_body.model_dump())
     user = db.users.find_one({"_id": res.inserted_id})
     user = User.model_validate(user)
-    del user.password
     return {"user": user}
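Review bot: `UserInDB` drops the `exclude=True` that `User.password` carried, so a `UserInDB` instance now serializes the password hash wherever it is dumped, and nothing on the class says it is persistence-only. A class docstring such as `"""Database-side view of User that carries the password hash; never return it from a route or store it in a session."""` would make that contract explicit. The scrubbing that replaces the removed `del user.password` in the second signup hunk, and `User.model_validate(user.model_dump())` in the login hunk, both rely on `User` silently ignoring the extra `password` key, i.e. on pydantic's default `extra="ignore"`; `User`'s `model_config` is outside this hunk, so if it is ever set to `extra="allow"` the hash would resurface on the response and the session object. Passing `exclude={"password"}` at those call sites, or setting `extra="ignore"` explicitly on `User`, would remove that dependency.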
@@ -62,13 +61,13 @@ async def login(request: Request, body: LoginBody):
     user = db.users.find_one({"email": body.email})
     if not user:
         raise HTTPException(status_code=401, detail="Invalid credentials")
-    user = User.model_validate(user)
+    user = UserInDB.model_validate(user)
     match = compare_passwords(body.password, user.password)
     if not match:
         raise HTTPException(status_code=401, detail="Invalid credentials")
     # create session
     session_id = request.session["session_id"]
     session = SessionManager.get_session(session_id)
-    session.user = user
+    session.user = User.model_validate(user.model_dump())
     SessionManager.set_session(session.id, session)
     return {"session": session}
diff --git a/server/app/services/db.py b/server/app/services/db.py
index 736c5a4..17c6371 100644
--- a/server/app/services/db.py
+++ b/server/app/services/db.py
@@ -4,7 +4,7 @@
 from app.errors import MissingEnvException
 from app.helpers.auth import hash_password
-from app.helpers.models import User
+from app.helpers.models import UserInDB
 from app.services.env import ADMIN_EMAIL, ADMIN_PASSWORD, MONGODB_DB_NAME, MONGODB_URI
@@ -51,13 +51,13 @@ def setup_db(self):
     if not ADMIN_PASSWORD:
         raise MissingEnvException("ADMIN_PASSWORD not found in environment variables")
     # not the most secure solution as env will be avaialbe after setup but it is quick
-    user = User(
+    user = UserInDB(
         full_name="Admin",
         email=ADMIN_EMAIL,
         password=hash_password(ADMIN_PASSWORD),
         is_admin=True,
     )
-    self._db["users"].insert_one(user.model_dump(include={"password"}))
+    self._db["users"].insert_one(user.model_dump())
     # binding collections
     self.sessions = self._db["sessions"]
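Review bot: `User.model_validate(user.model_dump())` on the new session line is likely to lose the user's id: `model_dump()` emits the field under its name `id`, while `User` declares it with `alias="_id"`, and pydantic v2 validates by alias unless `model_config` sets `populate_by_name=True`, which is not visible in this diff. The session would then hold a `User` whose `id` is `None`. `session.user = User.model_validate(user.model_dump(by_alias=True, exclude={"password"}))` keeps the id and also strips the hash explicitly instead of relying on extra-field handling. Worth confirming against `User.model_config` in models.py before changing it.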
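Review bot: `user.model_dump()` on the new `insert_one` line serializes the unset `id` field as `"id": None`, so the admin document is stored with a stray `id` key next to the `_id` Mongo assigns; `user_body.model_dump()` in the signup hunk has the same shape, though it is context there. `self._db["users"].insert_one(user.model_dump(exclude={"id"}))` avoids writing the placeholder. `by_alias=True` alone would not help, since it would write `_id: None` into the document instead. How `PyObjectId` serializes is outside this diff, so this is worth checking against an actual stored document.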